The present invention relates to anomaly detection and bandwidth monitoring and management, and more specifically to the management of data plans within a telecommunications system and the determination of optimal data plans and anomalies as related to users using these plans.
Consequently, carriers and service operators are forced to compete across similar technologies to offer mobile communication solutions. Competition, while somewhat determined by device availability and network coverage, is generally linked to the ‘data plan’ which is offered to the end users and determines the cost. These data plans change frequently, are often tied to multiple users (pooling), and may offer tiered (flex) options allowing users to jump across plans when they go over the pre-established limits. The data overage charges are typically large (often measured in dollars per megabyte), and can add up to a multi-hundred or even multi-thousand dollar charge in a single monthly plan period.
For example, a typical North American Data Plan for a BlackBerry™, Smart Phone or Mobile Broadband USB Modem typically costs approximately $50 per month for a set amount of bandwidth usage. However, if the use exceeds this data limit there are overage charges for all consumption above the allotted limits. These overage charges typically have a cost per megabyte far higher than the Data Plan itself and are often considered punitive.
Users, both corporate and consumer rarely know their data usage needs. Unlike the minutes required on a cell phone for a month, which is more tangible as users can relate to the ‘time they spent on the phone’, data transfer sizes vary depending on compression, resolution, and can often be consumed by background update tasks, antivirus, operating system updates etc. It is difficult for the average user to assess their data usage needs or history.
The conundrum presents itself when carriers want to lock users into a term of contract which is based on data usage when making the sale. To address this, a carrier will typically ask questions about the usage patterns such as: do you use your card to download videos, only for email, or for web browsing. This is used to force the user into some broad categories but is unlikely to be accurate. The end result is that there is either an over purchase of bandwidth or a surprise overage charge for the end user.
There are also security concerns for the enterprise IT department when deploying data access through these devices on public networks. These departments and their users are traditionally locked down with firewalls, proxies, and numerous security and monitoring systems tied into physical access into the corporate LAN/WAN, mobile computers on public networks disappear from the monitoring systems unless forced into using them with VPNs. Existing monitoring methods are generally based on hardware installed in the IT infrastructure of the enterprise, and protect the ‘core networks’ in the office. These systems are not able to monitor the users when using their communications devices on public networks outside the office environment
Prior art relating to anomalous activities such as US2008/0222717 relate anomalies for detecting traffic between users and source/destination based anomalies. However, the anomalies are not related to usage costing, nor are anomalies learned by the system to reduce the volume of anomalies and simplify the determination of anomalies for the end user.
Other prior art such as US2009/0138590 are related to attack prevention based on anomalous activity.
WO/2008/05229 relates to the usage of source and destination addresses used in packet headers to see if anomalous patterns exist in the senders and recipients of data.
U.S. Pat. No. 7,539,147 also teaches a method to detect traffic anomalies relating to attack prevention.
In essence there are a number of different anomalous activities which can be monitored for different reasons on network traffic. The proposed invention considers anomalies based on usage traffic patterns, and a learned behavioral model of traffic usage for plan and cost optimization. It also relates usage data back to a central administrative console capable of managing complex multi-user and interdependent carrier plans allowing the selection and optimization of users and groups and the assigned plans for each.
Related systems exist today, which propose post plan processing methods to review the plan costs from prior months to assess usage, and assist in the selection of new plans. This does not address the real time requirements to avoid overages in the current month such as the proposed current invention. Additionally, existing end user monitoring systems which exist today and run on the end device only, to count and monitor data, do not take into account pooled or flex plan capabilities offered by many carriers which require monitoring from a central service and data aggregation and consolidation. These systems also do not take into effect the usage anomalies and relate these to the security functions as in the current proposed invention.
Existing monitoring systems for anomalies on the end user system are based on key loggers, antivirus/firewalls, and usage monitoring. The logs and events generated by these systems are extensive and a burden to review by the IT manager. These systems also log events as they happen, and do not predict anomalies as does the current invention, allowing the IT manager to react in a pro-active way. Further, many companies have periods where traffic patterns may vary greatly based on time of day, time of week, or time of month/year. Examples include end of week time card entry, end of month accounting events, and end of year inventory. Existing systems do not have the learning capability that the present invention offers to determine true anomalies within these normal trends. Most users and groups of users will also trend up or down over time with their usage as new applications are added or as users rely more on their mobile devices or as more applications become available for mobile users. Existing systems do not have the learning capability of the proposed invention to adjust with these trends and mask out false anomalies caused by this trending.
The current invention learns and adjusts to anomalies rather than forcing the users to define hard rules for them.